Re: Bind accepts any password where the real password is a prefix?
- To: openldap-technical@openldap.org
- Subject: Re: Bind accepts any password where the real password is a prefix?
- From: Edward Capriolo <edlinuxguru@gmail.com>
- Date: Tue, 26 Jan 2010 21:28:53 -0500
- In-reply-to: <31ccf0f11001261117h25b97143wb42f0ae6d63dce1c@mail.gmail.com>
- References: <31ccf0f11001261117h25b97143wb42f0ae6d63dce1c@mail.gmail.com>
On Tue, Jan 26, 2010 at 2:17 PM, Christopher Kenna <cjkenna@gmail.com> wrote:
> Greetings,
>
> We are running OpenLDAP at our organization to do authentication for
> Linux machines. One strange thing I noticed is that I can bind to the
> server using my password, or *any* password that contains my actual
> password as a prefix. Let me explain with an example.
>
> Suppose my password is "banana" (it's not). Then these passwords work
> to bind to the database:
> - banana
> - banana2
> - bananafjksdfs
>
> But these won't work:
> - mbanana
> - banan
>
> I'm testing this with this command:
> ldapsearch -x -W -ZZ -H ldap://<server_address>.com \
> -b dc=mydomain,dc=com \
> -D 'uid=<my_uid>,ou=people,dc=mydomain,dc=com' \
> '(uid=<my_uid>)'
>
> Any ideas about why this happens? Thanks.
>
> -- Chris
>
A buddy of mine once told me his company thought they were setting
1024 character passwords, but they were using DES and only the first 8
characters were used.
It may be that your system is using DES passwords
http://grex.org/staffnote/sun/passwd.xhtml
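The reply's explanation (a traditional DES crypt(3) hash covers only the first 8 characters of the password, so any longer string that begins with the real password verifies) can be checked against the directory itself. The following is an added example, not code from this thread or from OpenLDAP: it reads an LDIF dump such as slapcat output, classifies the storage scheme of each userPassword value, and flags the entries whose hash algorithm truncates the password. The sample LDIF, its DNs and its hash strings are constructed placeholders.

```python
import base64
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

# Hash shapes produced by crypt(3): traditional DES is 2 salt chars + 11 hash
# chars from the [./0-9A-Za-z] alphabet (13 chars total); modular formats such
# as $1$ (MD5), $5$/$6$ (SHA-crypt) carry a $id$ prefix and use the whole password.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_RE = re.compile(r"^\$([^$]+)\$")
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


class Finding(NamedTuple):
    dn: str
    scheme: str                 # OpenLDAP storage scheme, e.g. CRYPT or SSHA
    algorithm: str              # finer classification of the stored hash
    truncates_at: Optional[int]  # password chars actually hashed; None = all of them


def classify_password(value: str) -> Tuple[str, str, Optional[int]]:
    """Map one userPassword value to (scheme, algorithm, truncation length)."""
    m = SCHEME_RE.match(value)
    if not m:
        return ("CLEARTEXT", "cleartext", None)  # no {scheme} prefix: stored in clear
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return (scheme, scheme.lower(), None)    # SSHA, SHA, MD5, ...: full password
    if DES_RE.match(body):
        return (scheme, "des", 8)                # only the first 8 characters count
    if body.startswith("_"):
        return (scheme, "bsdi-extended-des", None)
    mm = MODULAR_RE.match(body)
    if mm:
        return (scheme, "crypt-$%s$" % mm.group(1), None)
    return (scheme, "unknown", None)


def parse_ldif(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (dn, userPassword) from a minimal LDIF dump; no line folding is handled."""
    dn, pw = None, None
    for line in text.splitlines() + [""]:
        if not line.strip():                      # blank line ends an entry
            if dn and pw is not None:
                yield dn, pw
            dn, pw = None, None
        elif line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):  # '::' marks a base64-encoded value
            pw = base64.b64decode(line[15:]).decode()
        elif line.startswith("userPassword: "):
            pw = line[14:]


def audit(text: str) -> List[Finding]:
    return [Finding(dn, *classify_password(pw)) for dn, pw in parse_ldif(text)]
```

Run `audit()` over the output of slapcat; every entry reported with `truncates_at == 8` is one whose bind accepts any string that extends the real password, and is a candidate for rehashing under a scheme such as {SSHA} or $6$ crypt on the user's next password change.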